Bugs in the bluetooth make access points a sad boy.
The details: Two new zero-day vulnerabilities were discovered this year in Bluetooth Low Energy (aka Bluetooth Smart) chips produced by manufacturer Texas Instruments used by billions of devices across the globe.
The primary threat is the fact that the chips are used by the biggest network operators in the world: Cisco, Meraki and Aruba. The chips, “are used by roughly 70 to 80 percent of wireless access points” from those three networks, making the vulnerability a major concern for enterprises.
Discovered by security firm Armis, the vulnerabilities have been dubbed “Bleedingbit.” BLE is used in nearly every device these days, including all major operating systems and mass market consumer devices.
According to ZDNet, the first vulnerability impacted Cisco and Meraki access points:
Attacks can remotely send multiple benign BLE broadcast messages, called "advertising packets," which are stored on the memory of the vulnerable chip. As long as a target device's BLE is turned on, these packets -- which contain hidden malicious code to be invoked later on -- can be used together with an overflow packet to trigger an overflow of critical memory.
If exploited, attackers are able to trigger memory corruption in the chip's BLE stack, creating a scenario in which the threat actor is able to access an operating system and hijack devices, create a backdoor, and remotely execute malicious code.
Bleedingbit attacks cannot be detected by traditional antivirus products, according to Armis.
Why it matters: Sometimes, no matter what you do, third-party vulnerabilities will find you. One would hope that it’s a small issue … not a fundamental flaw in a Bluetooth chip which reaches millions, if not billions, of devices worldwide.
Of the two vulnerabilities, one is nearly unconscionable: a leftover backdoor development tool. The backdoor opens the ability for an attacker to completely rewrite the firmware, “effectively rewriting the operating system of the device.” That is not just a security hole, that is a gaping mouth of hell.
According to ZDNet:
Together, both vulnerabilities can give threat actors almost unlimited opportunities to wreak havoc inside an enterprise system -- including device hijacking, tampering with operating systems, executing malware payloads, reading network traffic, and moving laterally between network segments.
Cisco, Meraki and Aruba were notified of the vulnerabilities in June. Manufacturers which use the vulnerable Texas Instrument chip are advised to upgrade to the latest Bluetooth Low Energy stack (version 2.2.1).
Vulnerabilities at this foundational level and scale could be the type that could linger in networks and devices for quite a while.
The hacker perspective:
Randori product manager Ian Lee says,
"The proliferation of BLE enabled access points and beacons, like Wifi before it poses new risks. While more research is needed on these specific vulnerabilities, the fact that Bluetooth is disabled by default on most of these devices, that any attack would require local access and that updates have already been released makes the overall threat posed likely low. As with any known weakness, those running these devices should look to update their devices."